Make sure DSA signing exponentiations really are constant-time

Abstract

TLS and SSH are two of the most commonly used proto- cols for securing Internet traffic. Many of the implemen- tations of these protocols rely on the cryptographic primi- tives provided in the OpenSSL library. In this work we dis- close a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signa- ture scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first pub- lished cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.